Most companies face a no-win situation when screening third parties against evolving and expanding sanctions, watchlists, and other risk factors globally. On the one hand, they want to cast as wide a net as possible for thorough due diligence. On the other hand, their wide nets can catch many false positives.
If you or your team manages supply chain screening, you must accept that false positives are inevitable. There’s no such thing as a perfect data-matching engine. The technology relies heavily on the quality of the data passing through the software’s filters, so any number of factors can lead to false positives, from common names or dates to incomplete addresses, incorrect spelling, and missing information.
If you think manual search is better, think again. Having staff members manually comb siloed, unconnected databases is not only labor-intensive but also prone to errors. Global sanctions and regulatory watch lists change so frequently that manual research only at the time of onboarding, or at a predetermined interval, is simply inadequate.
The above factors and the sheer volume mean that managing false positives is a major challenge for many businesses. Every instance of an alert needs to be reviewed, which can become a time-consuming activity. Time and effort spent reviewing each alert plus remediation can easily lead to backlogs, especially for companies with small compliance teams.
Since false positives are bound to happen, it’s imperative that your team is equipped to manage them. Who on your team is responsible for handling false positives? What’s your process for remediation? On average, how long and how many people does it take to review and resolve each false positive? These are some of the questions you need to answer to assess your capabilities.
The Challenges of False Positives
First, while it’s critical for companies to screen suppliers and other third parties during the selection and onboarding process, screening doesn’t end there. To ensure a compliant value chain, you need continuous monitoring of third parties – preferably daily tracking of global sanctions, watch lists and political exposure, and adverse media.
Second, to protect your business you should monitor not only your direct third parties but also their associates. The more third parties you have, the bigger the network of associates and affiliates you’re going to need to monitor continuously. Screening individuals can generate significantly more false positives due to common names.
Third, a fast-evolving global marketplace means supplier risks can appear overnight when a crisis (e.g., the Russian invasion of Ukraine in 2022) occurs. Third parties that passed initial screening may suddenly be affected by new sanctions and restrictions.
Rules and regulations impacting due diligence, such as sanctions that reinforce anti-money laundering and countering-the-financing-of-terrorism (AML/CFT) programs, are also constantly changing and expanding. Just this year, the European Union approved stricter rules to close gaps in combating money laundering, terrorist financing, and evasion of sanctions.
Meanwhile, the U.S. Department of the Treasury issued recommendations for financial institutions against indiscriminately terminating business relationships with potentially risky customers because that would actually drive financial activity outside of regulated channels. Instead, they should conduct proper due diligence and manage the risks.
False Positives at Scale
While false positives are inevitable, you can’t take them for granted. They can be harmful when they occur at scale and start hindering or delaying business opportunities.
Let’s say that during onboarding, one of your new suppliers triggers 10 alerts. Each of those alerts must be reviewed and remediated. What if that supplier is one of 5,000 in your third-party network and what if 10 more third parties each triggered a dozen alerts? Right off the bat, your compliance team is facing 120 alerts that need to be double-checked and resolved. And that’s just during onboarding. Imagine if this scenario continues to happen after onboarding. Your team will be overwhelmed by the workload, which could then lead to backlogs.
On the upside, your company is ultimately better off because those 70 issues were flagged, even if they turned out to be false positives. What if the situation were reversed and your process produced false negatives? What if all your suppliers and third parties passed screening but turned out to be genuinely risky or noncompliant?
Cost of False Positives
While there are no statistics on the rate of false positives in third-party screening, we can look to the figures provided by the Association of Certified Anti-Money Laundering Specialists (ACAMS), which estimates a false positive rate of up to 90% in AML sanctions screening.
When analyzing the potential cost of false positives in missed business opportunities, some valuable examples can be drawn from other industries. In the retail industry, false positives (transactions falsely flagged as suspicious) cost U.S. merchants about $50 billion in sales in 2021, according to Atlanta-based payments consultancy CMSPI. In the financial sector, sales that were blocked by credit card companies’ fraud detection systems because of false positives cost them $118 billion in 2014 versus the cost of real card fraud, which only amounted to $9 billion that year.
Mitigating False Positives
The real harm of false positives lies in large numbers of alerts, which can be costly. Apart from the loss of actual sales or business opportunities, they are a major drain on internal resources. Your team’s time, effort, and skills shouldn’t be wasted on the tedious review of alerts.
The good news is, the management of false positives doesn’t have to be inefficient and costly. You don’t even have to hire more compliance staffers to keep up with the alerts. Find a reliable platform and service to outsource the burden of false positives. Choose a platform that combines robust automated tools with rigorous human intelligence.
At Ethixbase360, we understand that the better the data structure, the better the results. That’s why we focus on cleansing, structure, and completeness of data at the point of initial screening. Ethixbase360 also has dependable match scoring, with filters set to apply fuzzy logic so that aliases and naming conventions are covered. Fuzzy logic technology will capture spelling variations of names in case a character is omitted, inserted, or replaced accidentally or on purpose. When it comes to remediation, our trained and dedicated global team analyzes and clears false positives on behalf of both our screening and Enhanced Due Diligence customers, allowing clients to review only confirmed matches.
An effective third-party risk management (TPRM) process combined with the right tools, resources, and support can make all the difference in whether you sink or swim in a sea of false positives. We’re here to help.